The FTC Safeguards Rule under the Gramm-Leach-Bliley Act requires every tax preparation business — including solo preparers working from home — to maintain a Written Information Security Plan (WISP).
The IRS has confirmed this through IRS Publication 5708 and its annual Security Summit guidance.
Failure to maintain a WISP can result in EFIN suspension, Circular 230 disciplinary action, FTC civil penalties, and civil liability to affected clients.
This course fulfills the requirement and gives you a finished, compliant plan before you leave.
24 hrs
IRS notification deadline after discovering a suspected or confirmed data breach
$0
Size exemption — solo preparers face the same legal obligation as 50-person firms
1×/yr
Minimum annual review required — plus off-cycle updates after any material change
7 yrs
Recommended retention period for all breach incident documentation and records
5
Core elements required in every compliant WISP under the FTC Safeguards Rule
2023
Year the FTC Safeguards Rule was strengthened MFA now explicitly required for all client data systems
What you will master
Course modules
Four modules · 18 lessons · mapped to IRS Publication 5708 and the FTC Safeguards Rule
What Is a WISP & Who Needs One
Definition · legal basis · who is covered · real-world breach consequences
- 1.1 — Introduction & course overview: regulatory basis, four-module structure, how this course applies to your practice
- 1.2 — What is a WISP: the six questions every WISP must answer, three categories of protected data, what a WISP is NOT
- 1.3 — Who must have a WISP: the GLBA → FTC Safeguards Rule → Circular 230 chain, no size exemption, consequences of non-compliance
- 1.4 — Real-world breach examples: phishing, ransomware, insider threat, physical theft — and what happens to preparers without a WISP
Building Your WISP
Five core elements · risk assessment · coordinator · employee training · IRS template walkthrough
- 2.1 — The five core elements: coordinator, data inventory, written safeguards, vendor oversight, incident response plan — with solo-practice examples for each
- 2.2 — Conducting a risk assessment: four-step process, data inventory table, threat categories (external/internal/accidental), likelihood-impact rating framework
- 2.3 — Designating your Information Security Coordinator: required criteria, coordinator responsibilities, 2023 reporting requirement, sample WISP language
- 2.4 — Employee training requirements: who must be trained, minimum content, delivery methods, training log format — including seasonal preparers
- 2.5 — WISP template walkthrough: section-by-section guide to completing the IRS Security Summit template — common errors and how to avoid them
When Things Go Wrong
Breach response · IRS notification · client notification · documentation
- 3.1 — Recognizing a breach: what counts as a breach, how phishing attacks unfold, the moment the 24-hour clock starts
- 3.2 — Incident response plan step-by-step: four phases — contain, notify, assess/remediate, document — with a complete 48-hour timeline example
- 3.3 — Reporting to the IRS: Stakeholder Liaison notification within 24 hours, what to say, FBI IC3 report, software vendor fraud line, state agency notification
- 3.4 — Notifying clients: what to say and how to say it, IP PIN guidance, Form 14039, written notification template, 7-year documentation retention
Staying Compliant Year-Round
Annual review · passwords & MFA · vendor management · remote work · final exam
- 4.1 — Annual WISP review checklist: eight-section review, off-cycle update triggers, documenting the review, most commonly outdated sections
- 4.2 — Password policies & MFA: NIST 800-63B current guidance, 2023 MFA requirement for all client data systems, password manager implementation
- 4.3 — Vendor & third-party management: covered vendors, SOC 2 evaluation, required contract provisions, vendor offboarding, sample vendor register
- 4.4 — Remote work & device security: approved devices, VPN requirement, home network rules, mobile phone policies, annual home office audit
Who this course is for
Your complete reference guide for this course — all lessons, tables, and key concepts in one printable document. Keep it handy while studying or during your final exam.
Available to enrolled students only · Tax Year 2026
